Implementation of the Penetration Testing Execution Standard for Penetration Testing of a Single Sign-On Service
Abstract
The increasing use of single sign-on technology by electronic service providers, in addition to providing benefits, also creates vulnerabilities. Penetration testing is needed to identify vulnerabilities and to test system security by exploiting them. This research implements the Penetration Testing Execution Standard (PTES) for penetration testing of single sign-on services. Seven stages of the penetration test were carried out and 12 vulnerabilities were identified, consisting of 3 medium vulnerabilities, 6 low vulnerabilities and 3 informational vulnerabilities. Six cyberattacks were carried out to exploit these vulnerabilities, with 3 successful attacks and 3 failed attacks. Based on the results of the vulnerability and exploitation analysis, the recommendations given consist of regular updating and patching, configuring the CSP header and the X-Content-Type-Options header on the web server and application server, validating the Host header configuration and the X-Content-Type-Options header, disabling X-Forwarded-Host on every web page, configuring the 'secure' flag on cookies, adding a metacharacter filter to the source code, and limiting login attempts. The results of the PTES implementation show that it makes it easier for testers to carry out penetration tests and effectively prevents disputes between testers and clients caused by differences in the scope of testing.
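The header and cookie recommendations above can be verified mechanically. The following is an added example, not code from the paper: it audits a response's headers for the CSP, X-Content-Type-Options and cookie 'secure' flag findings, and shows a host-resolution function that honours only an allow-listed Host header and ignores X-Forwarded-Host. The function names, sample headers and host names are constructed for illustration.

```python
"""Added example: check the header/cookie hardening the abstract recommends."""
from http.cookies import SimpleCookie
from typing import List, Optional, Set, Tuple

Headers = List[Tuple[str, str]]  # list form so repeated Set-Cookie lines survive

# Constructed sample responses (not captured from any real SSO service).
WEAK_RESPONSE: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
]
HARDENED_RESPONSE: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
]


def audit_response(headers: Headers) -> List[str]:
    """Return one finding per missing or weak header; an empty list means all pass."""
    byname = {}
    for name, value in headers:
        byname.setdefault(name.lower(), []).append(value)
    findings = []
    if "content-security-policy" not in byname:
        findings.append("missing Content-Security-Policy")
    if [v.strip().lower() for v in byname.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("X-Content-Type-Options is not 'nosniff'")
    for raw in byname.get("set-cookie", []):
        for cookie_name, morsel in SimpleCookie(raw).items():
            if not morsel["secure"]:  # Secure attribute absent -> sent over plain HTTP
                findings.append(f"cookie {cookie_name} lacks the Secure flag")
    return findings


def canonical_host(request_headers: Headers, allowed_hosts: Set[str]) -> Optional[str]:
    """Host to use when building URLs: exactly one Host header, and it must be allow-listed.

    X-Forwarded-Host is deliberately never consulted; None means reject the request.
    """
    hosts = [v for n, v in request_headers if n.lower() == "host"]
    if len(hosts) != 1:
        return None
    host = hosts[0].strip().lower()
    return host if host in allowed_hosts else None
```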